Welcome to the website of the Digital Media Law Project. The DMLP was a project of the Berkman Klein Center for Internet & Society from 2007 to 2014. Due to popular demand the Berkman Klein Center is keeping the website online, but please note that the website and its contents are no longer being updated. Please check any information you find here for accuracy and completeness.

Legal Resources for Digital Media

Censorship

Baidu, the operator of China’s most popular search engine, has won the dismissal of a United States lawsuit brought by pro-democracy activists who claimed that the company violated their civil rights by preventing their writings from appearing in search results. In the most thorough and persuasive opinion on the issue of search engine bias to date, a federal court ruled that the First Amendment protects the editorial judgments of search engines, even when they censor political speech.

Status: Concluded

Disposition: Injunction Denied; Withdrawn

Description:

According to the complaint, Zack Anderson, RJ Ryan, and Alessandro Chiesa were undergraduate students at the Massachusetts Institute of Technology (MIT). The students claimed to have discovered a vulnerability in the "CharlieCard" and "CharlieTicket" automated fare collection systems used by the Massachusetts Bay Transportation Authority (MBTA) for Boston area public transit. The students planned to share their research at the DEFCON computer security conference on August 10, 2008. Their description of the presentation, as quoted in the complaint, was as follows:

Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card [sic], we present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subway systems around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We go over social engineering attacks we executed on employees, and we present a novel new method of hacking WiFi: WARCARTING. We will release several open source tools we wrote to perform these attacks. With live demos, we will demonstrate how we broke these systems.

When the MBTA learned of their planned presentation, they arranged a meeting with the MIT students and MIT Professor Ronald Rivest, who specializes in network security. According to the court records, the students met with the MBTA on August 5, but refused to provide the MBTA with materials they planned to present, and instead agreed to provide a three-page summary of the vulnerabilities they found. The students also modified their event description to remove the reference to "free subway rides for life," and made other small alterations to the event description.

On August 8, 2008 the MBTA filed a complaint and motion for a temporary restraining order against the students and MIT. The complaint alleged that the students committed a violation of the Computer Fraud and Abuse Act (CFAA) by transmitting information that caused damage to computers. The complaint also alleged that the students committed the common law torts of conversion and trespass to chattels by intercepting MBTA rider fares, that MIT negligently supervised the students by failing to instruct the students to "responsibly disclose information concerning perceived security flaws," and that all four defendants committed a violation of Massachusetts's unfair and deceptive trade practices statute, M.G.L. Ch. 93A § 11.

The complaint sought an order preventing the students from "offering to provide software tools or demonstrations to allow others to duplicate the attacks referenced," from "providing information or materials that would assist another in any material way to circumvent the security of the" CharlieCard system, from "publicly stating or indicating that the security or integrity" of the system "has been compromised," from "further circulating" the conference panel announcement, from suggesting that "MIT endorses or approves of the activities" described, and from "declining to provide the MBTA and its vendors with information sufficient to replicate, test, and repair the purported security flaws."

On Saturday, August 9, 2008, U.S. District Court Judge Douglas Woodlock (acting as duty judge covering court matters over the weekend) issued a temporary restraining order forbidding the students from "providing program, information, software code, or command that would assist another in a material way to circumvent or otherwise attack the security of" the MBTA fare system. Per the Federal Rules of Civil Procedure in effect at that time, the injunction was scheduled to last for ten days. At oral argument, Judge Woodlock stated that the planned DEFCON presentation would constitute "transmission" of a program, and that the possible harm to MBTA fare collection constituted "damage," for CFAA purposes. The court also indicated that if someone were to use this information to evade fare collection the students would be aiders and abettors of that crime.

The court noted a possible First Amendment issue with the order, but stated "there's a balance that has to be drawn at various points," and that "we can't expect people in their early 20s to have sufficient judgment or experience to avoid causing those clashes of interest between something as broad and as important as the First Amendment and the need to avoid actual criminal conduct of which words are the constituent elements." The students argued that they had met with the MBTA and provided a report addressing their discovered vulnerabilities and what they planned to present at DEFCON, but the court found that insufficient to remove the risk of irreparable harm.

On August 11, the MBTA filed a motion to modify the terms of the restraining order, to clarify that the injunction only applies to "non-public" information related to the fare collection system. On August 12, the students responded, opposing the modification of the order and moving to have the court reconsider the restraining order altogether. The students argued that the order was an unconstitutional prior restraint on speech, as it prohibited the students' speech without a showing of an intent to induce any unlawful activity, or any other state interest of the highest order. The students further argued that the MBTA failed to show a likelihood of success on the merits of their CFAA claim, as the legislative history and statutory interpretation of the relevant section of the CFAA suggested that it applied only when a person actually transmits code to a protected computer, and not one's mere description of vulnerabilities. The students also noted that the MBTA's disclosure of the students' presentation slides in a public filing in the current action undermined their claim that an injunction was necessary.

On August 14, 2008, the MBTA responded to the students' motion. The MBTA argued that while some of the material related to their fare system was now public in light of the disclosure of the DEFCON slides, there remained non-public information that the students might share, including the source code of the program they used to read and alter the fare cards. The MBTA further argued that the CFAA's language extends to transmitting damaging "information," and not just software, and that the students' planned speech would advocate violation of the law, and would thus be unprotected by the First Amendment under Brandenburg v. Ohio. Finally, the MBTA argued that the presentation was not "research," but was instead commercial speech, and that the students failed to follow industry standards for responsible disclosure of a data breach.

In a reply filed on August 18, the students argued that the factual record contradicted the claim that the students planned to share anything beyond what was already in the public docket of this court case. The students further argued that the MBTA failed the basic standard for injunctive relief as there was no immediate risk of harm. They also argued that adherence to industry standards for responsible disclosure was not required by law and, if compelled, would lead to censorship of important public information. (To support this, the students also provided a letter from eleven computer science professors and computer scientists discussing responsible disclosure.) The reply also argued that the students were discussing matters of policy and not engaging in commercial speech, as evidenced by the use of the students' research in numerous news articles addressing the data security of the CharlieCard system.

On August 14, Judge George O'Toole, the assigned judge for the case, held a hearing to determine whether the temporary restraining order should remain in effect for the full ten days for which it was issued. Judge O'Toole allowed the restraining order to remain in place, and granted the MBTA's motion for limited discovery against the students in preparation for the MBTA's motion to convert the restraining order into a preliminary injunction. The court allowed the MBTA to obtain: written correspondence, as well as "permissions, waivers, and other agreements" between the students and the DEFCON organizers; a copy of an MIT class paper that the students wrote, which served as the basis of the presentation; copies of all software tools the students intended to distribute as part of the DEFCON presentation; and copies of any other materials the students planned to distribute.

On August 17, 2008, the students filed a motion for reconsideration of the court's discovery order as it applied to the class paper and planned presentation software and materials. The students argued that such material is exempt from disclosure under the First Circuit's decision in Cusumano v. Microsoft, which protects certain academic sources and work product from disclosure. The students argued that the MBTA, a governmental agency, was seeking impermissible pre-publication review of academic work product.

On August 18, the MBTA filed a motion for a preliminary injunction. In its supporting memorandum, in addition to the arguments made previously, the MBTA argued that there remained information that the students had yet to disclose to the MBTA and the court about their planned presentation, including the software they planned to share. The MBTA also included a declaration from Systems Project Manager Scott Henderson, who stated that some of the cards used in the presentation had been used on the MBTA system illegally, based on the MBTA's own audit. The MBTA sought an injunction against the dissemination of this information for five months, in order to give them time to implement security upgrades to the system.

At a hearing on August 19, 2008, the court denied the preliminary injunction and dissolved the temporary restraining order. The court found that the MBTA had failed to show a likelihood of success on the merits of their CFAA claim, indicating that discussion of security topics is not likely to be "transmission" of code, commands, or information under the CFAA, as the statute's terms suggest that such transmission would need to be technical instead of informational in order for the statute to apply. The court also raised doubts as to whether the required $5000 of loss under the CFAA had been sufficiently demonstrated, finding the possible loss of future MBTA revenue to be "a matter of possibility but [not] sufficiently established to support the injunction requested." The court noted that it was "mak[ing] that point in the first instance without reference to the First Amendment, what it may or may not guarantee under these circumstances," but also noted the valid public interest in such disclosures and discussions.

On October 7, 2008, the MBTA and student defendants filed a stipulation of dismissal, dismissing the claims against the students with prejudice and without costs. On December 22, 2008 the Electronic Frontier Foundation released a statement indicating that the MBTA and MIT students are now working together to improve the data security of the MBTA system. The claims against MIT were dismissed on February 3, 2009.

In the days of unwarranted government surveillance and elaborate data collection, people increasingly rely on anonymizing services to keep their online activities private, such as proxy servers, encrypted cloud storage, and virtual private networks. Virtual private networks, or VPNs, route online communications through a secure and encrypted private network to a remote server (sometimes in a jurisdiction with greater protection for freedom of speech or weaker law enforcement).

For me, thinking about one of the Obama administration's latest initiatives to keep us all safe online is like one of those pattern recognition puzzles (you know, like "What is the next term in this sequence: O, T, T, F, F, S, S, E, N, __?"). Here, the sequence is:

Arizona State Representative Michelle Ugenti (R-Scottsdale) introduced Arizona House Bill 2004 in December, which would amend Arizona’s criminal code and make it a class 5 felony to impersonate somebody online, including, specifically, on a social networking site. A class 5 felony carries in Arizona a presumptive sentence of a year and a half imprisonment. Rep.

Last October I wrote about the rise in popularity among French Twitter users of the hashtag #unbonjuif ("a good jew"). In December we saw a growth in other offensive hashtags, including the homophobic #Simonfilsestgay ("if my son is gay") or the xenophobic #SimaFilleRamèneUnNoir ("if my daughter brings a Black man home").

On October 16, the Union des Étudiants Juifs Français (Union of French Jewish Students, UEJF) asked Twitter to remove several racist and anti-Semitic tweets. Using the hashtags #unbonjuif and #unbonmusulman ("agoodjew" and "agoodmuslim," respectively), some Twitter users were posting derogatory comments about Jews and Muslims, some allegedly meant to be 'jokes.'

On June 28, 2012, the U.S. Supreme Court held that the Stolen Valor Act is unconstitutional because it penalizes speech (albeit false speech) without consideration of less restrictive alternatives or a clear connection between the speech and the harm sought to be prevented. In U.S. v.

When hearing the expression “lèse majesté,” images of the Queen of Hearts ordering heads to be chopped off ASAP may come to mind. Marie-Antoinette, the queen who was once a “majesté” in France, herself lost her head during the French Revolution. Surely, the crime of lèse majesté is now a thing of the past?

A pedicab driver was arrested in D.C. recently for pretending to record police arresting one of his passengers. He wasn’t actually filming anything – apparently he wasn’t even sure how to operate his new camera.

Status: Pending

Description:

According to CBS, on July 29, 2011, Philip Datz ("Datz") was in Bohemia, New York filming police activity following a car chase as a videographer for the Stringer News Service. During the course of his filming, Suffolk County Police Sergeant Michael Milton ("Milton") approached and ordered him to leave. Datz moved approximately a block from where he was initially located and continued to film the police activity. Milton approached Datz a second time, arrested him, and seized his camera and videotape. (Datz's recording of the encounter can be viewed here.)

Datz was charged with obstructing governmental administration, N.Y. Penal Law § 195.05. The charge was later dismissed.

On April 11, 2012, Datz filed a lawsuit in the United States District Court in the Eastern District of New York against Milton and Suffolk County, alleging that the police violated Datz's rights under the First, Fourth, and Fourteenth Amendments of the United States Constitution, Article I, Sections 8 and 12 of the New York State Constitution, as well as the Privacy Protection Act (42 U.S.C. § 2000aa). The complaint also contains claims of false arrest, assault, and battery. According to the complaint, Suffolk County Police seized the videotape from his camera as evidence and held it until one hour after his release that evening.

The complaint also makes several allegations in support of its demand for injunctive relief against Suffolk County barring the county from obstructing journalists and members of the public who are recording police activity in public places. These allegations include several other incidents where Suffolk County police and firemen ordered Datz to stop filming police activity from public property, and some instances in which the police deliberately expanded crime scene perimeters to keep the press from filming crime scenes.

Last Thursday, Twitter announced that it would start censoring tweets by denying access to specific tweets in countries where those tweets would be illegal. Naturally, this has caused a lot of concern online.

The day of protest against the now (hopefully) infamous "Stop Online Piracy Act" (SOPA) and "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011" (PROTECT IP Act, or PIPA) has ended. Baffled students can once again access Wikipedia to do their homework; the Google doodle is no longer black

Copyright 2007-19 Digital Media Law Project and respective authors. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Noncommercial-ShareAlike 3.0 License: Details. Use of this site is pursuant to our Terms of Use and Privacy Notice.